Android package file
The Trojan may arrive as a package with the following name:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Allows read-only access to phone state.
- Allows an application to install packages.
- Allows an application to delete packages.
- Allows applications to access information about networks.
- Allows an application to access coarse (e.g., Cell-ID, WiFi) location.
- Allows an application to access fine (e.g., GPS) location.
- Allows applications to open network sockets.
Once installed, the application will display an icon with Chinese text.
The Trojan then silently decrypts and installs the following embedded application package file (APK):
This embedded application package file has no launcher and can only be seen as an installed app under Settings/Manage Apps with the name "Audio".
The embedded application package file connects to the following command and control server:
The Trojan may then perform the following actions:
- Install and overwrite APKs silently
- Uninstall APKs silently
- Run commands as the root user (full device control)
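As an added defender-side example (not code from the Symantec write-up), the Python script below checks an APK for the two traits described above: the permission combination that allows silent package install/removal together with network access, and a secondary APK carried inside the package, either as a plain ZIP (detected by its "PK" signature and an inner manifest or classes.dex) or, as in this case where the payload is encrypted, as a high-entropy asset. It assumes the manifest is already decoded to plain XML (real APKs carry a binary manifest that apktool or aapt must decode first), builds a constructed sample APK in memory, and maps the permission descriptions listed above to their standard Android identifiers.

```python
import io
import math
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Standard identifiers for "install packages" / "delete packages" (normally
# granted only to system or root-privileged apps) and "open network sockets".
PACKAGE_CONTROL = {"android.permission.INSTALL_PACKAGES",
                   "android.permission.DELETE_PACKAGES"}
NETWORK = {"android.permission.INTERNET"}
# Entries that are compressed by nature and would trip an entropy check.
SKIP_SUFFIXES = (".png", ".jpg", ".jpeg", ".ogg", ".mp3")


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def risk_flags(perms: set) -> list:
    """Flag the permission pattern of an app that can replace other apps."""
    flags = []
    if PACKAGE_CONTROL & perms:
        flags.append("silent-install-or-uninstall")
    if (PACKAGE_CONTROL & perms) and (NETWORK & perms):
        flags.append("package-control-with-network")
    return flags


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random (or encrypted) content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk(apk_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Report risky permissions, nested APKs and likely-encrypted payloads."""
    findings = {"permissions": [], "embedded_apks": [], "high_entropy": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        # Assumption: manifest is plaintext XML (decoded beforehand).
        manifest = z.read("AndroidManifest.xml").decode()
        findings["permissions"] = risk_flags(declared_permissions(manifest))
        for info in z.infolist():
            if info.is_dir() or info.filename == "AndroidManifest.xml":
                continue
            data = z.read(info.filename)
            if data[:4] == b"PK\x03\x04":          # nested ZIP: is it an APK?
                try:
                    with zipfile.ZipFile(io.BytesIO(data)) as inner:
                        names = set(inner.namelist())
                    if {"AndroidManifest.xml", "classes.dex"} & names:
                        findings["embedded_apks"].append(info.filename)
                except zipfile.BadZipFile:
                    pass
            elif (not info.filename.lower().endswith(SKIP_SUFFIXES)
                  and shannon_entropy(data) >= entropy_threshold):
                findings["high_entropy"].append(info.filename)   # encrypted?
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: outer APK carrying a plain inner APK and an
    encrypted-looking blob. Not a real malware sample."""
    manifest = (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
        ' package="com.example.sample">'
        '<uses-permission android:name="android.permission.INTERNET"/>'
        '<uses-permission android:name="android.permission.INSTALL_PACKAGES"/>'
        '<uses-permission android:name="android.permission.DELETE_PACKAGES"/>'
        '</manifest>')
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zi:
        zi.writestr("AndroidManifest.xml", "<manifest/>")
        zi.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zo:
        zo.writestr("AndroidManifest.xml", manifest)
        zo.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zo.writestr("assets/audio.apk", inner.getvalue())
        zo.writestr("assets/payload.bin", bytes(range(256)) * 16)  # entropy 8.0
        zo.writestr("res/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return outer.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
```

Run the script directly to see the findings for the constructed sample; on a real package, decode the manifest first and pass the APK bytes to `scan_apk`. A nested APK or a large high-entropy asset in an app that also declares INSTALL_PACKAGES and DELETE_PACKAGES is the pattern worth escalating.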
The application allows the user to see various phone and SIM card details, along with some pictures:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":